SPL
List of Failed Login Attempts in Linux
Description
This Splunk search counts, per user account, how many times GDM password authentication has failed for that account, with the most-targeted accounts listed first. The field extractions are done inline with rex (session, host, authstatus and username); remove those rex commands if your sourcetype already extracts fields with those names. Only GDM password logins are considered (session=gdm-password), so failures from sshd or console logins in the same log are not counted. The timestamp pattern uses \s+ between month and day because rsyslog's traditional format pads single-digit days with a space ("Mar  4"); with a single \s the search silently misses the first nine days of every month.
sourcetype=linux_secure
| rex "\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"
| search session=gdm-password
| rex "\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<host>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)"
| search authstatus="authentication failure"
| stats count by username
| sort - count
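As an added example (not part of the original snippet), here is the same pipeline replayed in Python over a few constructed /var/log/secure lines, so you can see what each rex captures and which lines fall out at each search stage. The regular expressions are the ones from the search with named groups session, host, authstatus and username; Python spells a named group (?P<name>...) where Splunk's PCRE uses (?<name>...), and the hostname field is called host here as an assumption. The sample lines are made up, and one of them carries a space-padded day to show why the timestamp pattern needs \s+.

```python
"""Replay of the SPL failed-GDM-login search in Python over constructed log
lines. Added example; not code from the original page."""
import re
from collections import Counter

# Constructed sample of sourcetype=linux_secure lines (not real data). GDM on
# RHEL/Fedora logs with the program name "gdm-password]" including the stray
# bracket, which is why the SPL matches "gdm-\w+\S:". The fifth line has
# rsyslog's space-padded single-digit day ("Mar  4").
SAMPLE_SECURE_LOG = """\
Mar 14 10:22:01 ws01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Mar 14 10:22:09 ws01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Mar 14 10:22:15 ws01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=bob
Mar 14 10:22:20 ws01 gdm-password]: pam_unix(gdm-password:auth): conversation failed; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=carol
Mar  4 09:01:00 ws01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=dave
Mar 14 10:23:01 ws01 gdm-password]: gkr-pam: unlocked login keyring
Mar 14 10:23:30 ws01 sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar 14 10:24:00 ws01 gdm-autologin]: pam_unix(gdm-autologin:session): session opened for user guest by (uid=0)
"""

# Splunk rex uses PCRE "(?<name>...)"; Python spells the same group "(?P<name>...)".
# \s+ after the month name accepts the space-padded day.
TIMESTAMP = r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s"
# First rex: the GDM PAM service name taken from the syslog program field.
SESSION_RE = re.compile(TIMESTAMP + r"\S+\s(?P<session>gdm-\w+)\S:\s")
# Second rex: host (the field name 'host' is this example's choice), the PAM
# result and the user= value. The greedy .+ before user= skips past "ruser=".
DETAIL_RE = re.compile(
    TIMESTAMP
    + r"(?P<host>\S+)\s.+\Sgdm-password:auth\S:\s"
    + r"(?P<authstatus>\w+\s\w+);\s.+user=(?P<username>\S+)"
)


def rex_session(line):
    """First rex: the GDM PAM service of the line, or None if it is not a GDM line."""
    m = SESSION_RE.search(line)
    return m.group("session") if m else None


def rex_details(line):
    """Second rex: host/authstatus/username, or None when the line is not a
    gdm-password auth result (keyring or session-open messages, sshd, ...)."""
    m = DETAIL_RE.search(line)
    return m.groupdict() if m else None


def failed_gdm_logins(log_text):
    """The full pipeline: rex -> search session=gdm-password -> rex ->
    search authstatus="authentication failure" -> stats count by username
    -> sort - count. Returns (username, count) pairs, most failures first."""
    counts = Counter()
    for line in log_text.splitlines():
        if rex_session(line) != "gdm-password":
            continue  # sshd, gdm-autologin and non-syslog lines drop out here
        details = rex_details(line)
        if details is None or details["authstatus"] != "authentication failure":
            continue  # keyring noise and "conversation failed" drop out here
        counts[details["username"]] += 1
    # stats count by username, then sort - count (ties broken by name so the
    # order is deterministic; Splunk makes no such promise)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for user, n in failed_gdm_logins(SAMPLE_SECURE_LOG):
        print(f"{user}\t{n}")
```

Running it prints alice 2, bob 1, dave 1: the sshd failure for alice is not counted because the first search keeps only gdm-password sessions, carol's "conversation failed" is not an authentication failure, and dave only appears because the timestamp pattern tolerates the padded day.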
Comments
Or do a count by source IP and map them: "| iplocation src_ip | geostats count by src_ip". See the country of origin for your attacks on a map!
This is assuming that GDM is the interface fronting the login?
It's not working at all... why?
sourcetype=linux_secure
| rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"
| search session=gdm-password
| rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<host>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)"
| search authstatus="authentication failure"
| stats count by username
| sort - count